Introducing The IBM X-Force Security Research Group

Protecting our customers from security threats on the Internet by developing a comprehensive knowledge of vulnerabilities and attack methodologies and applying that knowledge through effective protection technologies.

IBM X-Force Research and Development: the world's leading enterprise security R&D organization

Engine
• Support content stream needs and capabilities
• Support requirements for engine enhancement
• Maintenance and tool development

Research
• Support content streams
• Expand current capabilities in research to provide industry knowledge to the greater IBM

Global security operations center (infrastructure monitoring)

Content Delivery
• Continue third-party testing dominance
• Execute to deliver new content streams for new engines

Industry/Customer Deliverables
• Blog, marketing and industry speaking engagements
• X-Force Database vulnerability tracking
• Trend analysis and security analytics
X-Force R&D - Research based on rich data sources

The mission of the IBM X-Force® research and development team is to:

• Research and evaluate threat and protection issues
• Deliver security protection for today's security problems
• Develop new technology for tomorrow's security challenges
• Educate the media and user communities

X-Force Research
• 14B analyzed Web pages & images
• 40M spam & phishing attacks
• 54K documented vulnerabilities
• Billions of intrusion attempts daily
• Millions of unique malware samples

Provides specific analysis of:
• Vulnerabilities & exploits
• Malicious/unwanted websites
• Spam and phishing
• Malware
• Other emerging trends
IBM X-Force Results: IBM Delivers Real-World Security Effectiveness

Protecting our clients "Ahead of the Threat" in 2010 and beyond

Out of the top 48 vulnerabilities disclosed:
• "Ahead of the Threat": 35% (average 1 yr+)
• Same day: 54%
• Within 15 days: 11%

IBM clients were protected before or within 24 hrs of an attack 89% of the time in 2010.
Vendors Reporting the Largest Number of Vulnerability Disclosures in History

• Vulnerability disclosures up 27%.
• Web applications continue to be the largest category of disclosure.
• The significant increase across the board reflects efforts going on throughout the software industry to improve software quality and to identify and patch vulnerabilities.

[Figure: Vulnerability Disclosures Growth by Year, 1996-2010 (Cumulative Vulnerability Disclosures)]
Patches Still Unavailable for Many Vulnerabilities

44% of all vulnerabilities disclosed in 2010 had no vendor-supplied patches to remedy the vulnerability.

■ Most patches become available for most vulnerabilities at the same time that they are publicly disclosed.
■ However, some vulnerabilities are publicly disclosed for many weeks before patches are released.

Patch Release Timing - First 8 Weeks of 2010

Patch Timeline | All  | Top Vendors
Same Day       | 3400 | 1BU
Week 1         | 192  | 34
Week 2         | 55   | 11
Week 3         | 57   | 12
Week 4         | 33   | 7
Week 5         | 27   | 7
Week 6         | 22   | 4
Week 7         | 17   | 3
Week 8         | 16   | 8
Public Exploit Exposures Up in 2010

Public exploit disclosures were up 21% in 2010 versus 2009.

• Approximately 14.9% of the vulnerabilities disclosed in 2010 had public exploits, which is down slightly from the 15.7% last year.
• However, more vulnerabilities were disclosed this year, so the total number of exploits increased.
• The vast majority of public exploits are released the same day or in conjunction with public disclosure of the vulnerability.

[Figure: Public Exploit Disclosures, 2006-2010]
[Figure: Public Exploit Disclosure Timing by Weeks, 2010]

Figure 53: Public Exploit Disclosures - 2006-2010

Year                | 2006 | 2007  | 2008  | 2009  | 2010
True Exploits       | 504  | 1078  | 1025  | 1059  | 1280
Percentage of Total | 7.3% | 16.5% | 13.4% | 15.7% | 14.9%
Exploit Effort vs. Potential Reward

■ Economics continue to play heavily into the exploitation probability of a vulnerability.
■ All but one of the 25 vulnerabilities in the top right are vulnerabilities in the browser, the browser environment, or in email clients.
■ The only vulnerability in this category that is not a browser or email client-side issue is the LNK file vulnerability that the Stuxnet worm used to exploit computers via malicious USB keys.

[Figure: Exploit Effort vs. Potential Reward, a four-quadrant chart]
• Sophisticated Attack: high-value vulnerabilities, harder to exploit
• Widespread Exploitation: inexpensive to exploit, large opportunity (example: browser based)
• Not Targeted Widely: hard to exploit, low reward (example: cryptographic attack)
• Occasional Exploitation: low potential reward (example: low-impact DoS attacks)
Top Attacks Seen by X-Force in 2010

• Automated SQL injection attacks
• Lateral scanning of the entire Internet for services with weak passwords
• The SQL Slammer worm was responsible for a huge amount of malicious traffic in 2010

Rank | Event Name              | Trend Line
1    | SQL_SSRP_Slammer_Worm   | Down
2    | SQL_Injection           | Down
3    | PsExec_Service_Accessed | Slightly Up
4    | SSH_Brute_Force         | Slightly Down
5    | JScript_CollectGarbage  | Up
6    | HTTP_Unix_Passwords     | Slightly Up
7    | SMB_Mass_Login          | Down
8    | SMB_Empty_Password      | No Change
9    | SQL_Empty_Password      | Up

Table 1: Top MSS high-volume signatures and trend line
Web App Vulnerabilities Continue to Dominate

Nearly half (49%) of all vulnerabilities are Web application vulnerabilities. Cross-site scripting and SQL injection vulnerabilities continue to dominate.

[Figure: Web Application Vulnerabilities by Attack Technique, 2004-2010]
[Figure: Web Application Vulnerabilities as a Percentage of All Disclosures in 2010]
[Figure: Cumulative Count of Web Application Vulnerability Disclosures, 1998-2010]
Client-Side Vulnerabilities: Web Browser, Document Reader & Multimedia Player Vulnerabilities Continue to Impact End Users

• Web browsers and their plug-ins continue to be the largest category of client-side vulnerabilities.
• 2010 saw an increase in the volume of disclosures in document readers and editors as well as multimedia players.

[Figure: Vulnerability Disclosures Related to Critical and High Document Format Issues]
[Figure: Top Client Categories*]
*In Critical and High Client Software V
Suspicious Web Pages and Files Show No Sign of Waning

• Obfuscation activity continued to increase during 2010.
• Attackers never cease to find new ways to disguise their malicious traffic via JavaScript and PDF obfuscation.
• Obfuscation is a technique used by software developers and attackers alike to hide or mask the code used to develop their applications.

[Figure: Obfuscation Activity]
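As an added illustration (not from the IBM report and not X-Force tooling), the Python below scores a JavaScript snippet on the indicators a defender typically keys on when hunting the JavaScript obfuscation the slide describes: dynamic-code calls such as eval and unescape, dense percent/hex escape sequences, long runs of numeric character codes, long string literals, and high character entropy. The two sample snippets, the indicator weights and the threshold are constructed assumptions for this example, not values from the report.

```python
import math
import re
from dataclasses import dataclass

# Constructed samples (not from the report): one ordinary snippet and one
# that shows the traits described above, an escaped payload fed to eval
# via unescape() and String.fromCharCode().
BENIGN_JS = """
function total(items) {
  var sum = 0;
  for (var i = 0; i < items.length; i++) { sum += items[i].price; }
  return sum;
}
"""

OBFUSCATED_JS = (
    "var _0x1a=unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65');"
    "eval(String.fromCharCode(118,97,114,32,120,61,49,59)+_0x1a);"
)

# Indicators and their (assumed) weights.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
DECIMAL_RUN_RE = re.compile(r"(?:\d{1,3}\s*,\s*){6,}\d{1,3}")  # char-code lists
STRING_RE = re.compile(r"'([^'\\]|\\.)*'|\"([^\"\\]|\\.)*\"")


def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encoded payloads push this up."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Verdict:
    score: int
    reasons: list


def score_javascript(src: str) -> Verdict:
    """Add one point per dynamic-code call, two for dense escapes, two for a
    long numeric run, one for a long string literal, one for high entropy."""
    reasons, score = [], 0
    found = [c for c in SUSPICIOUS_CALLS if c in src]
    if found:
        score += len(found)
        reasons.append("dynamic-code calls: " + ", ".join(found))
    escapes = len(ESCAPE_RE.findall(src))
    if escapes and escapes / max(len(src), 1) > 0.05:
        score += 2
        reasons.append(f"{escapes} escape sequences")
    if DECIMAL_RUN_RE.search(src):
        score += 2
        reasons.append("long run of numeric character codes")
    longest = max((len(m.group(0)) for m in STRING_RE.finditer(src)), default=0)
    if longest > 40:
        score += 1
        reasons.append(f"long string literal ({longest} chars)")
    ent = shannon_entropy(src)
    if ent > 4.8:
        score += 1
        reasons.append(f"high entropy ({ent:.2f} bits/char)")
    return Verdict(score, reasons)


def is_likely_obfuscated(src: str, threshold: int = 4) -> bool:
    """Assumed threshold: four or more points is worth an analyst's look."""
    return score_javascript(src).score >= threshold


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        v = score_javascript(sample)
        print(f"{label}: score={v.score} flagged={is_likely_obfuscated(sample)}")
        for r in v.reasons:
            print("   -", r)
```

Scoring several independent indicators rather than matching a single string is what keeps a check like this useful as attackers vary their encoders; a legitimate minifier can trip one indicator, but rarely four at once.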
Proliferation of Mobile Devices Raises Security Concerns

2010 saw significant increases in the number of vulnerabilities disclosed for mobile devices as well as in the number of public exploits released for those vulnerabilities.

• The motivation of these exploit writers is to "jailbreak" or "root" devices, enabling various functionality not intended by manufacturers.
• Malicious applications were distributed in the Android app market that used widely disseminated exploit code to obtain root access to devices and steal information.

[Figure: Total Mobile Operating System Vulnerabilities, 2006-2010 (Mobile OS Vulnerabilities)]
[Figure: Total Mobile Operating System Exploits, 2006-2010 (Mobile OS Exploits)]
Bot Network Activity on the Rise in 2010

• Trojan bot networks continued to evolve in 2010 through widespread usage and availability.
• Zeus (also known as Zbot and Kneber) continues to evolve through intrinsic and plugin advances.
• Various bot networks based on Zeus were responsible for millions of dollars in losses over the last few years.
• A Microsoft-led operation resulted in the takedown of a majority of the Waledac botnet in late February.
  • Communication between Waledac's command and control centers and its thousands of zombie computers was cut off in a matter of days.
• Much of the other activity seen is Zeus.

[Figure: Botnet Trojan Activity]
Zeus Crimeware Service

Hosting for costs $50 for 3 months.

MassInfect

"Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via Internet Explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit"

We also host normal ZeuS clients for $10/month.

This includes a fully set up ZeuS panel/configured
Spammers Focus on Content Rather than Volume

• Spammers made a continuous effort in 2010 to regularly change the technical contents of spam messages rather than increasing volume.
• They moved from random text spam combined with random URLs, ZIP attachments and HTML attachments to significantly increasing the average byte size of spam.
• The amount of URL spam using well-known and trusted domain names declined slightly in the 2nd half of 2010, for the first time in more than two years.
• 90% of spam is classified as URL spam.

[Figure: Top Ten Domains Used in Spam - Spam Domains vs. Trusted Domains]
[Figure: Major Content Trends in Spam]
Phishing Attacks Continue to Decline

• In 2010, phishing emails slowed and the volume did not reach the levels seen at the end of 2009.
• India is the top sender in terms of phishing volume, while Russia is in second place and Brazil holds third place.
  • Newcomers in the top 10 are Ukraine, Taiwan, and Vietnam, while Argentina, Turkey, and Chile disappeared from this list.
• Over time, popular subject lines continue to drop in importance.
  • By 2010, the top 10 most popular subject lines only represented about 26 percent of all phishing emails.

[Figure: Phishing Volume Over Time, April 2008 to December 2010]

Country     | % of Phishing
India       | 15.5%
Russia      | 10.4%
Brazil      | 7.6%
USA         | 7.5%
Ukraine     | 6.3%
South Korea | 4.7%
Colombia    | 3.0%
Taiwan      | 2.2%
Vietnam     | 2.2%
Poland      | 1.8%

Table 7: Geographical Distribution of Phishing Senders - 2010
Phishing Tools

Commercial phishing kits make it easy for a novice to start in the business.
"Bad" Web Content Tries to Evade Filters

• Approximately 7% of the Internet contains unwanted content such as pornographic or criminal Web sites.
• Anonymous proxies, which hide a target URL from a Web filter, have steadily increased, more than quintupling in number since 2007.

[Figure: Content Distribution of the Internet]
[Figure: Volume Increases of Anonymous Proxy Websites, H2-2007 to H2-2010]
Report Summary - Attacks Continue Across all Security Domains

Application and Process
■ 2010 saw the largest number of vulnerability disclosures in history, up 27%. This increase has had a significant operational impact for anyone managing large IT infrastructures. More vulnerability disclosures can mean more time patching and remediating vulnerable systems.
■ 49% of the vulnerabilities disclosed in 2010 were web application vulnerabilities.
■ 44% of all vulnerabilities disclosed had no vendor-supplied patches available at the end of 2010.

Data and Information
■ Bot network activity continued to grow in 2010. Consolidation among Trojan botnets is expected to be an emerging trend.
■ The term "Advanced Persistent Threat" became an everyday part of the corporate security lexicon after high-profile attacks on corporate enterprises by sophisticated, targeted attackers.
■ Anonymous proxy websites continue to increase in volume, quintupling since 2007.

Network, Server, and End Point
■ The SQL Slammer worm first surfaced in January 2003 and became known as one of the most devastating Internet threats of the past decade. This worm continued to generate a great deal of traffic on the Internet in 2010.
■ Obfuscation, whereby attackers attempt to hide their activities and disguise their programming, continued to increase over 2010 and shows no signs of waning.
■ SQL injection is one of the leading attack vectors seen in 2010 because of its simplicity to execute and its scalability to compromise large numbers of Web servers across the Internet.

People and Identity
■ USA, India, Brazil, Vietnam, and Russia are the top five countries for spam origination in 2010.
■ The vast majority of spam, more than 90%, is still classified as URL spam.
■ The amount of URL spam using well-known and trusted domain names declined slightly in the 2nd half of 2010, for the first time in more than two years.
■ The top spam domains have moved from China (.cn) to Russia (.ru).
■ In 2010, financial institutions continued to climb as the number one target for phishing attempts, representing 50% of the targeted industries.

© 2011 IBM Corporation
IBM's Approach To Helping You "Stay Ahead of the Threat"
Countering the Threats: Foundational Security Controls

Policy Definition and Management
COP* / Situational Awareness / Compliance Reporting
Maintaining a Trusted Infrastructure

Foundational Controls
• Discover & categorize information assets
• Establish & manage identities and access
• Manage internal threat: manage and monitor privileged user behavior
• Manage external threats
• Provide physical security
• Ensure compliance with policy

* Common Operational Picture



IBM Security Solutions

Our Strategy: The IBM Security Framework

Control Objectives for Information and related Technology (COBIT) 4.1

Additional best practice frameworks:
• Department of Homeland Security, National Infrastructure Protection Program = Physical + Cyber ("Tech", "Info", "App") + Human
• Software Engineering Institute / CERT Resiliency Engineering Framework = Access Mgt & Control ("People") + Tech Mgt ("Tech") + Knowledge & Info Mgt ("Info") + Supplier Relationship Mgt (type of "Application/Process") + Environmental Control & Facilities Mgt ("Physical")

Professional services | Managed services | Hardware
Our strategy: Be comprehensive, leverage partners

• Professional Services
• Managed Services
• Products
• Cloud Delivered
The Current Threat Landscape and IBM's Approach To Help You Address It Effectively

■ The threat landscape continues to evolve
■ World class research
  - IBM's security research group, X-Force, continues to lead in vulnerability identification and in providing effective measures to keep IBM's customers "ahead of the threat"
■ Investment
  - IBM is one of the largest security companies in the world with one of the broadest portfolios
■ Looking ahead
  - Using a combination of our research, security assets, and broader IBM assets like analytics, watch out for innovative new products and features from IBM ....
  • Products and features that:
    - Provide unrivalled day security protection
    - Automate reporting for compliance/audits
    - Provide unique analytics to detect the new generation of advanced persistent threats
For More IBM X-Force Security Leadership

X-Force Trend Reports
The IBM X-Force Trend & Risk Reports provide statistical information about all aspects of threats that affect Internet security. Find out more at http://www-935.ibm.com/service

X-Force Security Alerts and Advisories
Only IBM X-Force can deliver preemptive security due to our unwavering commitment to research and development and 24/7 global attack monitoring. Find out more at

X-Force Blogs and Feeds
For a real-time update of Alerts, Advisories, and other security issues, subscribe to the X-Force RSS feeds. You can subscribe to the X-Force alerts and advisories feed at or the Frequency X Blog at